Can DNS be protected from spikes in attacks?

By William Jackson

Jan 23, 2013

Denial of service attacks against the Domain Name System increased by 170 percent from 2011 to 2012, according to a recent analysis of security trends, but despite this growth little has been done to guard against them.

DNS is a ubiquitous and promiscuous service that underlies much of the Internet’s functions, mapping domain names to numerical IP addresses and relying on open, stateless protocols that have made it an easy target for DOS attacks.

Effective defense will require imposing rules for the types and numbers of queries and connections DNS servers will accept, said Carl Herberger, vice president of security solutions at Radware.

“The technology is out there, but it is not common,” said Herberger, who participated in the study. To date, the common response to denial of service attacks against DNS has been overprovisioning capacity. But at some point this method becomes ineffective, as the number and sophistication of attacks increases. “We’ve gotten to that point,” he said.

The increase in DNS attacks was noted in Radware’s Global Application & Network Security Report for 2012. Although DNS attacks are not new, their use has grown over the past two years because the attacks bypass defenses against traditional distributed DOS attacks that overwhelm network resources with high volumes of malicious traffic. DNS is a different type of network service because it relies on stateless protocols that can be used to deliver attacks without establishing connections and it is open to unqualified or unauthorized queries. And because a small query can generate a much larger response, attacks can be highly asymmetrical.

In August 2012, an eight-hour DNS DDOS attack against AT&T took down the company’s site and disrupted access to customers on AT&T’s network. An attack against Internet domain name registrar GoDaddy in November took down domains using its DNS service.

The U.S. government has been a leader in advancing DNS security, and the Office of Management and Budget mandated the deployment of the DNS Security Extensions on .gov domains by 2010. As of Jan. 22, 76 percent of tested government domains had DNSSEC operational, according to the National Institute of Standards and Technology. This is not complete compliance, but it is far ahead of the 1 percent of tested private-sector domains that are using DNSSEC.

Unfortunately, even wider use of DNSSEC would not solve the latest threat, Herberger said. “It never was designed to prevent denial of service attacks,” but rather to protect the integrity of responses to DNS queries threatened by cache poisoning attacks. “The potential problem with cache poisoning hasn’t materialized.”

The change in threat requires a change in defenses, imposing rules on traditionally open, unquestioning DNS servers. The number and type of queries accepted could be defined and limited, and servers could challenge queries to determine if they exhibit malicious behavior. The challenge could consist of something as simple as dropping a first query and waiting to see if it is repeated and in what time. The timing of a second query could help indicate if it is being generated by a bot.

This could be done with a minimum of overhead and delay, Herberger said, and could be cheaper and more effective than overprovisioning.

inside gcn

Reader Comments

Thu, Jan 24, 2013
Sandro Lima - Cloudshield Technologies

In addition to the ineffectiveness against advanced DNS attacks, overprovisioning has also economical (increase O&M cost and complexity) and technical (increase of cache miss rate/latency on recursive servers) drawbacks. DNS specific firewall solutions with DNS query type based rate limiting can help providing the fine-grained control over DNS traffic recommended by the article.

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.